PT-2026-5137 · Unknown · Egroupware

Lukasz-Rybak · Published 2026-01-28 · Updated 2026-01-28 · CVE-2026-22243

CVSS v4.0: 8.7
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

EGroupware versions prior to 23.1.20260113
EGroupware versions prior to 26.0.20260113

Description

EGroupware is a web-based groupware server written in PHP. A SQL Injection issue exists in the core components of EGroupware, specifically in the Nextmatch filter processing. Authenticated attackers can inject arbitrary SQL commands into the WHERE clause of database queries. This is possible due to a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the is_int() security check. The vulnerable component is the Nextmatch filter.

Recommendations

Update EGroupware to version 23.1.20260113 or later.
Update EGroupware to version 26.0.20260113 or later.
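
The type-juggling step named in the description, as an added PHP example that is not EGroupware's code or part of the advisory: both builder functions, ALLOWED_COLUMNS and the request body are hypothetical and constructed, and the convention that an integer key marks a server-authored SQL fragment is an assumption made for illustration. It shows that a numeric key sent as a JSON string is an integer after json_decode(), so an is_int() test cannot separate request data from trusted fragments, and it sets an allow-list with bound parameters beside the weak check.

```php
<?php
declare(strict_types=1);
// Hypothetical builder (assumption, not EGroupware code): integer keys are
// taken to be server-authored raw SQL fragments, string keys are columns.
function build_where_weak(array $filter): array
{
    $sql = [];
    $params = [];
    foreach ($filter as $key => $value) {
        if (is_int($key)) {
            $sql[] = (string) $value;   // emitted verbatim into WHERE
        } else {
            $sql[] = $key . ' = ?';
            $params[] = $value;
        }
    }
    return [implode(' AND ', $sql), $params];
}

const ALLOWED_COLUMNS = ['status', 'owner'];   // constructed allow-list

// Hardened variant: request data may only name allow-listed columns and every
// value is bound as a parameter; an integer key can never match a column name.
function build_where_hardened(array $filter): array
{
    $sql = [];
    $params = [];
    foreach ($filter as $key => $value) {
        if (!in_array($key, ALLOWED_COLUMNS, true) || !is_scalar($value)) {
            throw new InvalidArgumentException('rejected key ' . var_export($key, true));
        }
        $sql[] = $key . ' = ?';
        $params[] = (string) $value;
    }
    return [implode(' AND ', $sql), $params];
}

// Constructed request body: on the wire every key is a JSON string.
$filter = json_decode('{"status":"open","0":"CLIENT_SUPPLIED_TEXT"}', true);
// PHP arrays normalise the key "0" to int 0, so is_int() is true for it.
var_dump(array_map('gettype', array_keys($filter)));
// Weak builder: the client text lands in the SQL outside any placeholder.
echo build_where_weak($filter)[0], PHP_EOL;
// Hardened builder: the integer key is refused before any SQL is built.
try {
    build_where_hardened($filter);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```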

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-22243
GHSA-RVXJ-7F72-MHRX

Affected Products

Egroupware